Osquery for Security Analysis

Take sixty seconds and imagine yourself in this scenario.

A production server that doesn’t normally communicate over the internet is exhibiting suspicious characteristics. It’s sending out weird bursts of network traffic to an external host you don’t know anything about. The traffic is encrypted, so network data won’t be helpful. You have to rely exclusively on host-based evidence to figure out what’s happening.

Now be completely honest with yourself.

Would you be able to come to a conclusion about whether an attack has occurred? Would you be able to do it quickly? Would you be 100% certain about your determination?

If you answered no to any of those, then you aren’t alone. The truth is, investigating things on the host is overwhelming. There are so many places to look: the registry, prefetch, disk artifacts, operating system logs…the list goes on.

The problem isn’t just the number of rabbit holes, its that each one requires a different tool to access and parse the data. A question as simple as “Did the malware execute after it was downloaded?” might require a combination of a dozen complicated and unmaintained open sources tools or a pricey commercial solution.

I always thought there needed to be a better, more consistent way to find host-based evidence. When I discovered Osquery, I knew I had found it.

Osquery is a free endpoint visibility tool originally developed by Facebook. Osquery sees every endpoint device on your network as a database. This provides three benefits to security analysts:

Benefit #1: Simple questions, simple answers

Seeing a system like a database means you can ask questions in the form of database queries. Common evidence locations exist as tables that you can explore using SQL. The beauty is that these tables and the query language are mostly consistent across all your hosts. Write the query once and use it over and over again.

Benefit #2: Ask questions at scale

If you run into something weird, you’ll probably ask “Have I seen this on another host?” Pairing Osquery with Kolide Fleet (also free) provides a centralized console for querying every host across your network. You’ll know quickly if that suspicious process is actually malware or something the entire accounting department runs.

Benefit #3: It works everywhere

Osquery runs on Windows, macOS, and nearly every modern version of Linux. That means you can use it across your entire environment. That’s more than most EDR tools can claim.

Osquery is one of the most effective ways to perform host-based investigations at scale on your network.

Now, I’m excited to offer an online course dedicated to teaching you how to use Osquery to become a better investigator.

Introducing…

Osquery for Security Analysis will teach you how to use Osquery to perform thorough investigations of hosts on your network. This isn’t just an Osquery tutorial; it’s a course designed to help you improve your host-based investigation skills using one of the best tools for the job.

You’ll learn:

How to craft SQL queries to interrogate Windows, Linux, and MacOS hosts

Common queries for performing software inventory and asset control

Strategies for interrogating processes to determine if they are malicious

Techniques for uncovering persistence and lateral movement

Triaging suspicious systems using high-value data tables

Hunting leveraging MITRE ATT&CK techniques

Complete deployment of distributed Osquery across your network using Kolide Fleet and ElasticStack

How to leverage differential queries to monitor state changes and generate alerts

Extending Osquery with extensions

If you want to level up your host-based investigation skills using one of the best open source tools available, Osquery for Security Analysis is the course you’re looking for.

Osquery for Security Analysis Includes:

Over 5 hours of demonstration videos. These videos will break down the concepts and skills you need to become adept at using Osquery and improve your host interrogation skills.

Hands-on labs to help you develop and test your skills. You’ll complete lab exercises by downloading compromised virtual machines and using Osquery to figure out what happened. You’ll also complete a final challenge using Kolide Fleet to investigate multiple systems in a real-world scenario.

Our Osquery investigation cheat sheet. We’ve picked our favorite queries and combined them into a quick reference cheat sheet. I keep mine in my desk drawer and use it all the time!

Participation in our student charitable profit sharing program.A few times a year we designate a portion of our proceeds for charitable causes. AND students get to take part in nominating charities that are important to them to receive these donations.

Frequently Asked Questions

Is this course live?This is NOT a live course. It’s an online video course you can take at your own pace.

How long do I have access to the course material?You have access to the course for six months following your purchase date. If you need more time, you can extend your access for a small monthly fee.

Are there any prerequisites or lab requirements for this course?This course is designed for all security practitioner skill levels and assumes no prior Osquery or host-based forensic experience. To complete the lab exercises your system must be capable of running a virtualization platform such as VMWare or VirtualBox as you’ll be asked to download and run virtual machines. Additional lab exercises are conducted entirely via Fleet access in the web browser.

How much time does it take to do this course?Given the amount of content, it takes people dramatically different times to complete the material. If you focus all your time on it, you can complete everything in about a week. Most choose to spread it out over a few weeks as they take time to practice the concepts demonstrated.

How many CPEs/CMUs is this course worth?Organizations calculate continuing education credits in different ways, but they are often based on the length of the training. This course is approximately 5 hours of video content, plus the time you spend on the lab exercises. For most, we anticipate between 10 and 20 hours spent on the course. You’ll receive a certification of completion once you’ve finished the course.

Do you offer discounts for groups from the same organization?Yes. To inquire about discounts or group invoices please contact us at info@appliednetworkdefense.com.

Meet the Course Author – Josh Brower

Josh Brower has been crashing computers since his teens, and now feels fortunate to be doing it professionally. He has spent the last decade focusing on InfoSec, particularly network and endpoint detection. He also enjoys teaching around InfoSec issues, especially to non-technical learners – helping them to understand how their actions in the digital world have real-world consequences, as well as how to proactively reduce the risk.